Wednesday Dec 11, 2013

In our first post, we explored BYOD, its imminent challenges and the tool sets one can employ to overcome those hurdles. The second post gave you a peek into Mobile Device Management (MDM) and the set of problems it alleviates.

In this post, I will briefly introduce you to a relatively lesser known mobile security term, 'App Containerization'. Then we will continue to explore the Oracle Access Manager Mobile and Social (OAMMS) product offerings. This time, the emphasis will be on how OAMMS facilitates a secure mobile experience, to help you gain insight into what really happens behind the scenes.

Mobile Application Containerization: What does it really mean?

As the name indicates, it is a mobile 'application' level security mechanism, as opposed to 'device' level protection: the emphasis is on finer-grained, application-level controls rather than device-level controls alone. Application Containerization allows organizations to protect their data on any mobile device by ensuring that security restrictions apply only when the user interacts with the enterprise/official business applications.

How is it different from Mobile Device Management?

Mobile Device Management (MDM) empowers IT with device level controls such as executing a remote data wipe, enforcing a device password policy, etc. It is an indispensable tool for corporations. However, from an end user perspective, MDM brings to the fore concerns such as the following:

Employee concerns about the safety of personal data - What if my company wipes out ALL of my personal data on my device in order to reduce the risk for a couple of corporate applications?

All that matters is to keep enterprise data secure, not to intrude on the user's privacy.

'Containerization' is a technique which can help organizations combine the best of both worlds. It falls under the 'Mobile Application Management' (MAM) domain. This new generation mobile security technology ensures a tight rein over corporate data on mobile devices without being too intrusive for the end user. Personal and containerized applications can coexist on the mobile device, but each containerized application's data stays within the confines of its own 'container'. Communication with corporate servers or other 'containerized' applications is fully secured.

App Containerization Fundamentals and Strategies

It works on the concept of 'sand-boxing' the application execution.

It provides a secure run-time container for each managed application and its data.

It clearly segregates personal and corporate applications and their associated data, irrespective of the device.

A few of the techniques employed for application containerization are listed below.

Application Wrapping

This strategy involves processing the application via an 'App Wrapping' tool and creating a security wrapper around it. This process does not require any additional 'coding'.

Customized Code Based Integration

Specific Software Development Kits (SDKs) can be leveraged in order to 'code' the functionalities which cannot be delivered via 'Application Wrapping'. Mobile application developers can use the APIs in the SDK to weave the capabilities of the mobile security platform into their applications.

Dual Persona

This is a containerization technique wherein corporate and personal applications are installed under separate areas which are abstracted as 'personas'.

Encrypted Space

Applications and data may be kept within the confines of an encrypted space, or folder.

A comprehensive App Containerization strategy combined with device level protection can go a long way in providing end-to-end mobile security.

Where does Oracle come into the picture?

Through its recent acquisition of Bitzer Mobile, Oracle's rich portfolio of mobile security offerings has been further strengthened. Oracle can help organizations with comprehensive solutions to manage the security of enterprise data held on employees' mobile devices, including:

Enabling secure and seamless data and service sharing between containerized apps. Users can access, edit, sync, and share corporate documents or run other workflows that require multiple applications to work in coherence with each other.

Restricting a user’s ability to access, copy, paste or edit data held within the application container.

Enforcing security policies that govern access to the containerized data.

Allowing employees to switch between personal and corporate applications seamlessly, without risk of compromising company information.

Let us pick up the thread from the very first post of this series, and take a deep dive into the Oracle Access Manager Mobile and Social product offerings.

Oracle Mobile and Social Feature Set

OAMMS features can be broadly categorized into the following:

Mobile Services

The Mobile Services segment of OAMMS connects mobile devices and applications to existing IAM services and components and enables organizations to reap the full benefit of their existing IAM investments. Salient features of 'Mobile Services' are as follows.

Authentication

Under the hood, the basic authentication process is powered by Oracle Access Manager. A typical use case encapsulates the following set of events:

The user launches the mobile application on his device, which hands him off to the Mobile SSO Agent.

Assuming that the device is already registered, the Mobile SSO Agent sends the user name, password, and Client Registration Handle to the Mobile and Social server for validation.

The Mobile and Social server responds with a User Token as a result of the above process, and this token is then used by the calling mobile application to request an Access Token.

Once the Mobile and Social server issues the Access Token, the business mobile application can use this token to make calls to the resources/enterprise applications protected by Oracle Access Manager or Oracle Enterprise Gateway.

[Figure: OAMMS Authentication Process]

Authorization

Authorization is taken care of by Oracle Entitlements Server (OES), which is driven by policy-based configurations. OES manages authorization for mobile devices and applications with the help of the 'mobile device context', which is a type of 'Identity Context' attribute.

Identity Context is made up of attributes known to the multiple identity and access management components involved in a transaction, and it is shared across Oracle's identity and access management components.

Single Sign On

With SSO in place, a user can access multiple mobile applications on the same device without having to provide credentials for each application. Mobile SSO can be leveraged by both native and browser-based applications. A mobile application installed on the device needs to be designated as the mobile SSO agent in order for mobile-based SSO to work.

The Mobile SSO agent application acts as a mediator between the Mobile and Social server and the other applications on the device that need to authenticate with the back end identity services.

It orchestrates and manages device registration and risk-based authentication.

It ensures that the user credentials are never exposed to the mobile business application.

It can time-out idle sessions, manage global logout for all applications, and help in selective device wipe outs.

oaam.session handle, which represents an OAAM login session for a client application

The handles mentioned above drive the 'device registration' process.

OAAM policies can be configured to force the device registration process to require Knowledge Based Authentication (KBA) or a One Time Password (OTP).

Oracle Mobile and Social leverages adaptive security measures such as OTP by delegating to specialized components such as Oracle Adaptive Access Manager (OAAM).

Lost or Stolen Device Management

The Mobile and Social service works hand in hand with OAAM and counters these risks by providing a way to tag a device as lost or stolen, and then applying policies that are invoked when a compromised device tries to gain access to sensitive resources via the mobile applications.

If the device has been reported lost or stolen, OAAM can be configured to challenge the user before providing access to the mobile applications and their associated data.

OAAM policies can also be designed to wipe out the device data if the device attempts to communicate with the Mobile and Social server after being reported lost or stolen.

OAAM policies can also be configured to protect against 'jailbroken' devices and wipe out the data; the Mobile and Social service must be configured with jailbreak detection enabled.
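As an added illustration of the token exchange from the Authentication section together with the lost-or-stolen device policy described here, the following Python model (written for this post, not Oracle's code) implements the registration-handle check, the User Token to Access Token exchange and a resource-side policy check; the credential store, handle values and token lifetimes are assumptions.

```python
import hashlib, hmac, json, secrets, time
# Constructed, in-memory model of the OAMMS token exchange and lost/stolen device
# policy described in this post. Not Oracle's code: stores, names and lifetimes are assumptions.
SERVER_KEY = secrets.token_bytes(32)                         # signs issued tokens
USERS = {"alice": hashlib.sha256(b"demo-pass").hexdigest()}  # demo credential store
REGISTERED_DEVICES = {"crh-device-001": {"user": "alice", "status": "active"}}
USER_TOKEN_TTL, ACCESS_TOKEN_TTL = 3600, 300                 # seconds

def _sign(payload):
    body = json.dumps(payload, sort_keys=True)
    return body + "|" + hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def _verify(token):
    body, _, mac = token.rpartition("|")
    if not hmac.compare_digest(mac, hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()):
        return None                                          # forged or tampered token
    claims = json.loads(body)
    return claims if claims["exp"] > time.time() else None   # expired token

def device_is_trusted(handle, user=None):
    dev = REGISTERED_DEVICES.get(handle)
    return dev is not None and dev["status"] == "active" and (user is None or dev["user"] == user)

def report_lost_or_stolen(handle):
    REGISTERED_DEVICES[handle]["status"] = "lost_or_stolen"  # OAAM-style device tag

def authenticate(user, password, handle):
    """SSO agent step: user name, password and Client Registration Handle -> User Token."""
    if not device_is_trusted(handle, user):
        return None  # unregistered or flagged device: registration or a challenge is needed
    if not hmac.compare_digest(USERS.get(user, ""), hashlib.sha256(password.encode()).hexdigest()):
        return None
    return _sign({"typ": "user", "sub": user, "crh": handle, "exp": time.time() + USER_TOKEN_TTL})

def issue_access_token(user_token, app_id):
    """Business app step: trade a valid User Token for an app-scoped Access Token."""
    claims = _verify(user_token)
    if claims is None or claims["typ"] != "user" or not device_is_trusted(claims["crh"]):
        return None
    return _sign({"typ": "access", "sub": claims["sub"], "crh": claims["crh"],
                  "app": app_id, "exp": time.time() + ACCESS_TOKEN_TTL})

def access_resource(access_token, app_id):
    """Resource behind OAM/OAG: returns the subject, or None when policy denies."""
    claims = _verify(access_token)
    if claims is None or claims["typ"] != "access" or claims["app"] != app_id:
        return None
    if not device_is_trusted(claims["crh"]):
        return None  # device flagged after the token was issued: deny on next access
    return claims["sub"]
```

The resource re-checks the device tag on every call, so an Access Token that was valid when issued stops working as soon as the device is reported lost or stolen.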

Internet Identity Services

Internet Identity Services allow Oracle Mobile and Social to act as a relying party and leverage authentication and authorization services from cloud providers. Mobile applications can consume social identities securely, and customers can federate easily with social networking sites.

These services benefit the end users as well as the developers:

User centric - The users are presented with convenient multiple log-in options and can use their existing credentials from cloud-based identity services to log in to mobile applications.

Rich OOTB support - Currently, OAMMS supports major Social Identity Providers such as Facebook, Google, LinkedIn, Twitter, Yahoo, Foursquare and Windows Live.

Extensible - Developers can add relying party support for additional OpenID and OAuth Identity Providers by implementing a Java interface and using the Mobile and Social console to add the Java class to the Mobile and Social deployment.

Oracle Mobile and Social services can be easily extended to support other service providers, thanks to a flexible architecture based on 'open' standards such as OAuth and OpenID.

End to end flow wherein Identity Services are used in conjunction with OAM (for authentication):

The user accesses a protected application, and the request is intercepted by the WebGate.

The Mobile and Social server presents a login page to the user after OAM analyses the authentication policies applicable to the resource.

The login page presents a menu of Social Identity Providers (e.g. Facebook), and the user is redirected to the login page of the selected Social Identity Provider.

The user types a user name and password into the Social Identity Provider's login page; the Identity Provider validates them and redirects control back to the Mobile and Social server.

The Mobile and Social server further processes the Identity assertions supplied by the Identity Provider and after retrieving user identity information, redirects the user's browser to Access Manager. This time HTTP headers in the page request provide Access Manager with the user's authentication status and attributes.

Access Manager creates a user session and redirects the user to the protected resource.

The client SDKs promote ease of development of mobile applications by serving as a security layer and driving features like authentication, authorization, user profile services and secure storage.

The SDKs also serve as an 'abstraction layer' which allows system administrators to add, modify, and remove identity and access management services without having to update mobile applications installed by the user.

Generic REST API

Oracle Mobile and Social Services exposes its functionality through a consistent REST interface, enabling any device capable of HTTP communication to send REST calls to the Mobile and Social server. These can be leveraged when it is not possible to utilize the SDKs directly for communicating with the Mobile and Social backend components.

API Security

Oracle API Gateway (OAG) acts as a filtration layer for inbound REST calls into the Mobile and Social server. It integrates seamlessly with OAM and OES to provide authentication and access control.

In the Mobile and Social solution context, OAG provides services such as:

Protection against Denial of Service (DoS), SQL injection, and cross-site scripting attacks.

Auditing and logging of web API usage for each mobile client.

OAG and OES leverage their individual capabilities to provide context-aware authorization of mobile business transactions, authorization for REST APIs, and selective data redaction in the response payload. The sequence of steps involved in the OES-powered authorization and 'redaction' process is as follows:

A mobile application request is intercepted by OAG, which delegates authentication to OAM.

OAG leverages an integration adapter called the OES Java Security Service Module (SSM) to interact with OES to authorize the request.

After successful authentication and authorization, the user is granted access to the requested resource (business application).

Further authorization is driven by OES based on configured policies, and it might result in the 'redaction' of some confidential information from the response.

OES thus provides the 'redacted' response to OAG, which propagates it back to the requester.

[Figure: OAG and OES working in tandem]
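The following Python model, added here and not part of OAG or OES, shows the gateway-side sequence above: policy evaluation against the subject's roles and the mobile device context (the Identity Context attributes from the Authorization section), followed by field-level redaction of the backend response. The resource path, roles, field names and device flags are assumptions made for the example.

```python
# Constructed model of the OAG + OES flow: evaluate policy against the subject's roles and
# the mobile device context, then redact fields in the backend response before returning it.
# Not Oracle's code; the resource, roles, fields and device-context flags are assumptions.
POLICIES = [
    {   # who may read employee records, and which fields each role must NOT see
        "resource": "/api/employees", "action": "GET",
        "roles": {"hr": set(), "manager": {"ssn", "bank_account"}},   # role -> fields to redact
        "untrusted_device_redact": {"salary"},   # extra redaction on unregistered devices
    },
]
REDACTED = "***"

def authorize(subject, resource, action, device_ctx):
    """Return (decision, fields_to_redact). device_ctx mirrors the Identity Context
    attributes OES would receive (here the 'jailbroken' and 'registered' flags)."""
    if device_ctx.get("jailbroken"):
        return "DENY", set()                 # jailbreak policy: no access at all
    for policy in POLICIES:
        if (policy["resource"], policy["action"]) != (resource, action):
            continue
        granted = [set(policy["roles"][r]) for r in subject["roles"] if r in policy["roles"]]
        if granted:
            redact = set.intersection(*granted)   # a field is visible if any held role may see it
            if not device_ctx.get("registered"):
                redact |= policy["untrusted_device_redact"]
            return "PERMIT", redact
    return "DENY", set()                     # no applicable policy: default deny

def redact(payload, fields):
    """Recursively blank the named fields in nested dicts and lists."""
    if isinstance(payload, dict):
        return {k: (REDACTED if k in fields else redact(v, fields)) for k, v in payload.items()}
    if isinstance(payload, list):
        return [redact(item, fields) for item in payload]
    return payload

def gateway(subject, resource, action, device_ctx, backend):
    """OAG step: authorize via OES, call the backend only on PERMIT, redact the response."""
    decision, fields = authorize(subject, resource, action, device_ctx)
    if decision != "PERMIT":
        return {"status": 403, "body": None}
    return {"status": 200, "body": redact(backend(resource), fields)}

# Constructed backend response standing in for the protected business application
def employees_backend(resource):
    return {"employees": [{"name": "Bob", "ssn": "000-00-0000", "salary": 1, "bank_account": "X"}]}
```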

Conclusion

I hope you have gained a fair idea of the challenges which enterprise mobility requirements pose and the various options which the Oracle FMW product suite offers modern day organizations to empower and enable them to overcome these hurdles and successfully mobilize their workforce. Customers who are already utilizing products such as Oracle Access Manager and Adaptive Access Manager can easily leverage Oracle Mobile and Social to extend the same security capabilities to mobile applications. Our final post will introduce you to the nuances of Mobile Device Management (MDM) for facilitating a secure BYOD programme in the 'Cloud'.

About the Author

Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in the design, development and implementation of IAM solutions for Simeio's customers, with a prime focus on the Oracle IAM Suite.